Professional Documents
Culture Documents
Allianz Risk Barometer 2019
Allianz Risk Barometer 2019
Allianz Global Corporate & Specialty (AGCS) is the Allianz Group’s dedicated carrier for
corporate and specialty insurance business. AGCS provides insurance and risk
consultancy across the whole spectrum of specialty, alternative risk transfer and
corporate business.
Worldwide, AGCS operates with its own teams in 34 countries and through the Allianz
Group network and partners in over 210 countries and territories, employing almost
4,700 people of 70 nationalities.
AGCS provides insurance solutions to more than three quarters of the Fortune Global
500 companies, writing a total of €7.4bn gross premium worldwide in 2017.
2,415 86
respondents countries
2,882 22
responses industry sectors
3
Allianz Risk Barometer 2019
1 2
37% 37%
6 7
business interruption received more responses by
number
2 Fire, explosion ranks higher than new technologies
by number of responses
3 Climate change/increasing volatility of weather
ranks higher than loss of reputation or brand value
by number of responses
19% 19%
KEY
Risk higher than in 2018
Risk lower than in 2018
= No change in 2018
1 2018 risk ranking
ALLIANZ RISK
BAROMETER
TOP 10 GLOBAL BUSINESS RISKS FOR 2019 ↘ View the full Risk Barometer 2019 rankings here
3 4 5
8 9 10
13% 13% 9%
UK
“It’s no surprise to see changes in legislation and regulation
as the new top risk in the UK, jointly with cyber-attacks.
Uncertainty around Brexit, along with the increase in
the regulatory burden and global trade disputes, has
made confidence fragile. UK businesses also continue
to be occupied by the threat of cyber-attacks.”
TRACEY HUNT, DEPUTY CEO, AGCS UK Spain
Canada 1 = Business inte
“Regulatory and legislative changes continue to impact the
Canada risk outlook, including new privacy breach reporting
USA 2 Cyber inciden
obligations. Climate change and natural catastrophes remain 3 Changes in leg
in the Top 10, joined by environmental risks. Such threats 1 Business interruption
include pollution exposures caused by natural catastrophes 2 Cyber incidents
leading to BI. The demand for insurance solutions for 3 = Natural catastrophes
both these risks, including contingent BI, is on the rise.”
ULRICH KADOW, CEO, AGCS CANADA
Germany
“Cyber risks and BI are the biggest threats to German
businesses. As cyber incidents are increasingly the cause of BI,
both risks have become more intertwined. Ransomware attacks
such as NotPetya and WannaCry have led to large-scale
disruptions at companies and caused large losses worldwide.
Increasing connectivity and common IT infrastructure makes Brazil
all links in the supply chain susceptible to cyber incidents.
To effectively deal with these twin evils is therefore not an 1 = Cyber incidents
option, but an obligation for risk managers and insurers.”
CHRIS FISCHER HIRS, CEO, AGCS 2 = Business interruption
3 = Market developments
France
“French businesses are more and more concerned by the
increasing frequency and severity of cyber incidents, making
cyber the top risk for the first time ever in France.”
CORINNE CIPIÈRE, CEO, AGCS FRANCE
Italy
“Following a recent rise in the number of food recalls, product
recall becomes a notable new entry in the rankings in Italy (4th).” Asia Pacific
NICOLA MANCINO, CEO, AGCS ITALY “Businesses across Asia Pacific are deeply concerned about the
impact of BI. The average BI property insurance claim is now over
Spain €3mn. As manufacturing shifts east, and with growing frequency
“Recent cyber-attacks to important local institutions of natural catastrophe activity in the region, Asia Pacific is
explain the rapid rise of cyber incidents in Spain, increasingly exposed to these losses reflecting the importance
moving up from 4th to 2nd position year-on-year.” for companies to adopt a holistic approach to risk management.”
JUAN MANUEL NEGRO, CEO, AGCS SPAIN MARK MITCHELL, CEO, AGCS ASIA PACIFIC
This risk map shows the top three risks for businesses in selected countries.
Source: Allianz Global Corporate & Specialty
Snapshot: Top business risks around the world in 2019
ce UK Germany
er incidents 1 Changes in legislation/regulation (e.g. Brexit) 1 = Business interruption
ness interruption 1 = Cyber incidents 2 = Cyber incidents
explosion 3 = Business interruption 3 Changes in legislation/regulation
Italy
erruption 1 = Business interruption
nts 2 = Cyber incidents
gislation/regulation 2 Natural catastrophes
China
1 = Business interruption
2 Natural catastrophes
3 Fire, explosion
Africa
“Businesses in Africa are faced with political instability and policy uncertainty,
which are among the key risk factors that have an impact on business/investor KEY
confidence. For Africa to stay globally competitive, companies needs to be
at the cutting edge of technological advancement, yet new technologies can Risk higher than in 2018
also bring cyber incidents. It is vital that companies mitigate against risks Risk lower than in 2018
through modern risk management methods and trusted insurance solutions.”
THUSANG MAHLANGU, CEO, AGCS AFRICA No change from 2018
Allianz Risk Barometer 2019
EXECUTIVE
SUMMARY
Technology is breeding new threats as well as business models.
Traditional risks such as natural catastrophes continue to challenge
while other threats such as cyber, neck-and-neck with business
interruption at the top of the Allianz Risk Barometer for the first time,
reputational risk, increasing exposure to intangible assets and volatility
and consolidation in the corporate environment evolve daily.
A consequence of many of the other top risks in compared with almost €1.5mn from a fire/
the Allianz Risk Barometer, business interruption explosion incident, while losses from major events
(BI) is the top threat for companies for the can be in the hundreds of millions or higher.
seventh year running (37% of responses). Increasingly, cyber incidents bring their own BI
According to AGCS, the average BI property losses. Respondents rank cyber as the BI trigger
insurance claim now totals over €3mn ($3.4mn) at they fear most, given many companies’ primary
€3.1mn. This is more than a third (39%) higher assets can often be data, service platforms or
than the corresponding average direct property groups of customers or suppliers.
damage loss (€2.2mn) with these totals
significantly higher than five years ago. Losses BI loss was a hallmark of the WannaCry and
from the largest events can be in the hundreds of NotPetya malware attacks in 2017 which
millions or higher. disrupted shipping, logistics and manufacturing
companies. Insurers have seen a growing number
Businesses face an increasing number of BI of BI losses trigged by cyber incidents with
scenarios. Many can occur without physical industry claims exceeding $100mn.
damage but with high losses. Events such as
breakdown of core IT systems, product recall or Many incidents are the result of technical glitches
quality incidents, terrorism, political violence or or human error rather than malicious acts –
rioting and environmental pollution can bring analysis conducted by the UK’s financial services
1 BBC News, Yellow vest
businesses to a standstill, meaning firms may be regulator revealed a 138% increase in technology
protests ‘economic unable to provide products and services – or outages over a year but just 18% of reported
catastrophe’ for France,
December 9, 2018 customers stay away – having a devastating incidents were cyber-attacks.4
2 BI and cyber incidents effect on revenues. For example, retailers lost
tied on 37%. BI received
more responses by
about €1bn ($1.1bn) from four weekends of IT outages pose a significant risk. Incidents such
number – 1,078 to 1,052. protests in France at the end of 2018.1 In today’s as power surges or failed IT platform migrations
3 Average value of cyber
claim is €2,007,653 based
uncertain political landscape, legislative change can cost hundreds of millions. Reliance on IT
on 115 insurance industry such as the UK’s expected Brexit departure from service providers – such as cloud services, online
claims between 2013 and
2018.
the European Union in 2019 also poses a booking platforms and supply chain systems –
4 The Financial Conduct potential BI threat with supply chain disruption also brings potential contingent business
Authority, Cyber and
technology resilience in
anticipated. ↘ Page 10 interruption (CBI) exposures. A software glitch at
UK financial services, network equipment provider Ericsson disrupted
November 27, 2018
BI is joined at the top of the ranking for the first services for millions of mobile phone customers in
5 Reuters, Ericsson sorry for
software glitch that hits time by cyber incidents (37%) 2 . According to Europe and Japan in 2018 5 . In 2017, a four hour
mobile services in Britain
and Japan, December 6,
AGCS, even the average insured loss from a cyber outage at Amazon’s AWS cloud computing
2018 incident is now just over €2mn3 ($2.3mn) division impacted internet services, websites and
8
Executive Summary
other businesses. Companies lost approximately expected in 2019. Impact of fire, explosion
$150mn as a result6 . Longer outages could see incidents (6th 19%) is a perennial concern.
losses much closer to a billion dollars. ↘ Page 14 According to AGCS, fires (not including wildfires)
have caused in excess of €14bn ($15.9bn) worth
Increasing concern over cyber incidents follows a of insurance losses over the past five years,
watershed year of activity. Cyber crime costs an making it the top cause of loss for businesses.
estimated $600bn a year7 up from $445bn in
2014. This compares with a 10-year average New technologies (7th 19%) 9 present fantastic
economic loss from natural catastrophes of opportunities for business, including new ways to
around $200bn – three times as much. There is manage risk. However, as the number of
also a growing threat from nation states, which connected machines increases it also brings
use technology to steal valuable data and trade questions around security, data protection,
secrets, with implications for businesses. business continuity and third party liability, as
well as the potential for critical infrastructure
Impact of mega data breaches, privacy scandals breakdown. Unexpected consequences continue
and the introduction of the European Union’s to materialize, such as drone activity cancelling
General Data Protection Regulation – which has some 1,000 aircraft at the UK’s Gatwick airport in
also inspired tougher privacy rules and the threat December 2018. Meanwhile, product recalls,
of large fines elsewhere – are also occupying cyber incidents and executive conduct have all
companies’ thoughts. Cyber incidents are tainted the reputations of organizations in recent
increasingly likely to spark litigation, including years, affecting airlines, car manufacturers, banks
securities and consumer class actions. ↘ Page 12 and charities meaning protecting against loss of
reputation or brand value (9th 13%) takes on
Every company needs to adopt an IT security urgency in the social media age when crises
position which is adequate to its size, operations spread rapidly. Shortage of skilled workforce
and risk profile and invest in technological (10th 9%) appears in the top 10 global risks for
security solutions, proper backup mechanisms the first time with factors such as changing
and staff training. The last aspect is equally demographics, and Brexit contributing to its rise.
important, especially for small and mid-sized ↘ Page 18
enterprises, for which awareness of the growing
cyber threat and its link to loss of reputation is a Such a long and diverse list of threats requires new
growing concern. ↘ Page 22 risk management solutions, tools and partnerships
to manage and mitigate its potential impacts.
Major events such as hurricanes Michael and Insurance is increasingly providing tangible
Florence in North America, Typhoon Jebi in Japan assistance to intangible risks. Cyber insurance is
and more wildfires in California brought becoming a valuable part of incident response by
approximately $146bn8 of economic losses from providing companies access to specialist
natural catastrophes (3rd 28%) in 2018 coming consulting services which can help battle and
on the back of a record loss year in 2017. better prepare for events. Cyber BI insurance can
Respondents are concerned that recent activity defend against loss of income and costs from
could be a harbinger of increasing financial unavailability of data and systems caused by
losses and disruption ensuring climate change hacking, technical failure or employee error. Non-
(8th 13%) rises to its highest-ever position. In damage BI insurance indemnifies a business for
addition to damage and disruption to property, revenue loss from a disruptive event such as a
climate change is likely to have big implications protest or riot. Reputational risk insurance provides
for regulation and liability. Emissions targets are advisory and response costs in event of crisis.
already shaping industries like aviation and
shipping. Growing reporting and disclosure New technologies are also boosting risk analysis.
requirements will increase exposures for Insurers such as AGCS now utilize semantics 6 Guidewire Cyence Risk
companies and directors and officers. analysis to better understand supply chain risk, Analytics, MMC Cyber
Handbook 2018,
↘ Pages 16 and 20 drones to quickly assess catastrophe damage Evolution of Cyber Risks
and are partnering with insurtechs to identify Quantifying Systemic
Exposures
Businesses are more concerned about changes next generation litigation risks. In an increasingly 7 Center for Strategic and
in legislation and regulation (4th 27%) than 12 networked world, data from devices, factories International Studies,
Economic Impact of
months ago with trade wars, tariffs and ongoing and supply chains will provide an opportunity for Cybercrime – No Slowing
uncertainty over Brexit heightening fears about even better risk assessment through predictive Down
8 Swiss Re, December 18,
the resilience of supply chains. Market indicators and more flexible, tailored and timely 2018
developments (5th 23%) remains a top five risk solutions, with the ultimate aim being to 9 Fire, explosion and new
after 2018 was marked by record volatility, understand and manage risks more quickly in technologies tied at 19%.
Fire, explosion received
divergence and surprises, with more of the same order to prevent losses before they occur. more responses
9
Allianz Risk Barometer 2019
= 2019: 1 (37%)
5-year risk ranking Impact of business interruption (incl. supply Irrespective of whether it results from traditional
(% of responses
change disruption) is the major risk for exposures such as a fire at a manufacturing plant
and position):
2018: 1 (42%) companies for the seventh year in a row or a natural catastrophe which impacts
2017: 1 (37%) according to the Allianz Risk Barometer with production, a break in the supply chain due to
2016: 1 (38%) 37% of responses ranking it as one of the three property damages at the premises of a supplier or
2015: 1 (46%)
most important risks companies face in 2019. customer (often known as contingent business
Top risk in: Fittingly, it is joined at the top of the rankings for interruption [CBI]) or even a riot or civil unrest, BI
Canada the first time by cyber incidents (e.g. cyber can have a tremendous effect on a company’s
China crime, IT failure/outage, data breaches, fines revenues, even if the event occurred thousands of
Germany
Italy
and penalties) (37%) 1 which are increasingly miles away. And its impact can be one of the
Netherlands resulting in significant business interruption (BI) hardest risks to measure.
Poland losses of their own (see page 14).
Portugal Claims analysis from AGCS highlights the growing
Russia
Singapore “Cyber incidents can cripple a company’s relevance of BI as a consequence of losses in
South Africa operations and severely impair its ability to property insurance, heightened by today’s
South Korea deliver its services, yet they are just one of many increasingly interconnected and globalized
Spain loss triggers that can result in a BI for corporates,” business environment. Almost all large property
Switzerland
USA says Volker Muench, Global Practice Leader, insurance claims now include a major BI element,
Utilities & Services, IT Communication, AGCS. which typically accounts for the majority of the loss
Top risk in the “BI can be a consequence of many of the other when previously the split might have been nearer
following sectors:
top risks in this year’s Allianz Risk Barometer.” to 50:50. The average BI property insurance claim
Chemicals
Consumer Goods
Food & Beverages
Heavy Industry
Hospitality, Leisure,
Tourism WHICH CAUSES OF BUSINESS INTERRUPTION (BI) DO BUSINESSES FEAR THE IMPACT OF MOST?
Manufacturing
(incl. Automotive)
Mining
Oil & Gas
Power & Utilities
Renewable Energy
Retailing,
50% 40% 38% 28% 28%
Wholesale
1. Cyber incidents 2. Fire, explosion 3. Natural 4. Supplier failure, 5. Machinery
catastrophes lean processes breakdown1
Source: Allianz Global Corporate & Specialty. Figures represent the percentage of answers of all participants who responded (947). Figures don’t add
up to 100% as up to three risks could be selected.
1 Supplier failure ranks higher than machinery breakdown by number of responses
Cyber incidents ranks as the most feared BI trigger for business. Events such as the WannaCry and Petya
ransomware attacks and other recent incidents are increasingly bringing significant disruption and financial losses to
businesses. Yet technical failures or employee error are also frequent causes of cyber BI (see page 14).
BI and CBI losses are becoming larger and more complex as supply chains become leaner with greater concentration
on a smaller number of suppliers, particularly in industries like automotive, electronics and pharmaceuticals. An event
such as a small fire in these industries can bring huge losses.
“Today, a single fire event at a small supplier can cause significant supply chain interruptions in the automotive
industry, leading to a shortage of parts, for example,” says Volker Muench, Global Practice Leader, Utilities &
Services, IT Communication, AGCS. “We have seen insurance industry losses from such events in excess of €1bn
($1.1bn). With one fire, a plant can go down, manufacturing has to stop and supply chain losses are subsequently
generated. Machinery breakdown can have a similar effect.”
10
Major Risks in Focus: Business Interruption
now totals over €3mn ($3.4mn) at €3.1mn. This is HOW MUCH CAN BUSINESS INTERRUPTION COST?
more than a third (39%) higher than the
corresponding average direct property damage
loss (€2.2mn)2 with both of these totals now
significantly higher than five years ago.
Political risk, violence and commotion events are For example, there have already been reports that
also happening more often than in the past, says the UK is running out of food warehousing space
Muench, and the indirect impact of such incidents as retailers and manufacturers rush to stockpile
can result in BI and loss of income either from amid fears of a no-deal Brexit4 . Frozen and chilled
production having to be halted or customers food warehouses are fully booked for six months,
staying away from affected areas. The fall-out with customers being turned away, due to fears
from events such as rioting and protesting in the supply chain will be interrupted after the UK’s
France during November and December 2018 can planned departure from the EU.
be costly. For example, the French retail federation
told Reuters news agency that retailers had lost PLANNING FOR BI
about €1bn ($1.1bn) since the protests first began
on November 173. BI risk can be physical, virtual, reputational and
always financial – and therefore should be well-
BI can also emerge when companies experience planned for. Companies can often underestimate
environmental issues such as pollution happening the complexity of getting back to business but risks
at a manufacturing site, on residential real estate can be mitigated. A sound business continuity plan
1 Business interruption and
or through pipeline spills. This is an often should be written and tested in a tabletop exercise cyber incidents are tied
overlooked BI exposure. Expenses and supply to be effective. Ideally, the tabletop exercise at the top of the ranking
at 37%. However business
chain disruption can quickly grow as a result of should be prepared well in advance and designed interruption received
more responses by
lengthy remediation, reconstruction and delays to test location-specific vulnerabilities. number – 1,078 to 1,052
during which firms may be unable to operate or 2 Based on analysis of
provide products or services. Insurers such as AGCS support businesses 1,175 corporate
insurance claims which
further though provision of new insurance have both a property
damage and business
Meanwhile, in today’s uncertain political and solutions such as cyber BI policies or non- interruption loss
business landscape, changes in regulation and damage BI coverage, which indemnifies a component
legislation, such as the UK’s expected Brexit business for lost revenue due to disruption from 3 BBC News, Yellow vest
protests ‘economic
departure from the EU at the end of March 2019, an event. AGCS also utilizes semantics analysis catastrophe’ for France,
December 9, 2018
also bring significant BI risk. to better understand supply chain risk. This
4 The Guardian, UK
enables mapping of supplier relationships down running out of food
“Supply chain disruption could be caused by the to the fourth tier in order to help identify any warehouse space as no
deal Brexit fears rise,
closing of borders,” says Muench. “If a exposure or accumulation issues. November 18, 2018
11
Allianz Risk Barometer 2019
= 2019: 2 (37%)
5-year risk ranking For the first time, cyber incidents is neck-and-neck Recent mega data breaches include Equifax (143
(% of responses and
with business interruption (BI) at the top of the million individuals), Facebook (50 million) and
position):
2018 2 (40%) Allianz Risk Barometer – with the two risks Uber (57 million). Meanwhile, the data breach
2017 3 (30%) increasingly interlinked, reflecting the magnitude which impacted around 380 million2 customers of
2016 3 (28%) of the threat now posed by a growing dependence Marriott hotels at the end of 2018 is one of the
2015 5 (17%)
on technology and the malicious actions of nation largest on record.
Top risk in: states and criminals.
Austria The number of cyber-attacks worldwide doubled
Belgium Incidents, such as cyber crime, privacy breaches, BI in 2017 to 160,000, although endemic
Brazil
France
(including ransomware and distributed denial of underreporting means the true figure could be as
Hong Kong service (DDoS) attacks) can trigger extensive losses. high as 350,000, according to the Online Trust
India Cyber crime generates the headlines but often it is Alliance3. At the same time, the average cost of a
New Zealand more mundane technical failures, IT glitches or cyber-attack has increased 62% over the past five
UK
human error which frequently cause system years, according to Ponemon Institute and
Top risk in the outages or data losses for business. The fall-out Accenture4 . A typical data breach now costs a
following sectors: can be costly. According to AGCS analysis of company $4mn, according to Ponemon, but very
Aviation insurance industry claims over the past five years, large breaches can cost hundreds of millions – the
Entertainment &
Media even the average insured loss from a cyber incident cost of the Marriott breach is estimated between
Financial Services is now in excess of €2mn ($2.3mn) compared with $200mn and $600mn by AIR Worldwide5.
Government & almost €1.5mn from the average claim for a fire/
Public Services
explosion incident1 , with losses from the largest RISING REGULATION AND LITIGATION
Professional
Services events in the hundreds of millions or higher.
Technology An important factor driving the cost of data
Telecommunciations Increasing concern about cyber incidents follows a breaches is regulation and litigation. In May 2018,
watershed year. In the wake of the highly disruptive the GDPR entered force, introducing greater
global WannaCry and NotPetya malware attacks, privacy rights for consumers and greater
2018 witnessed a stream of major IT outages, enforcement powers for regulators, backed by the
mega data breaches and privacy scandals, as well threat of large fines. Other jurisdictions have since
as landmark data protection rules in the EU’s announced plans to introduce tougher privacy
General Data Protection Regulation (GDPR). laws inspired by the GDPR ranging from California
to Brazil to India. Canada and Australia have also
“Cyber risk has been a major risk for a number of established mandatory breach notification
years, ever since IT moved from being a support regimes, in line with the GDPR and similar
function to a core, business-critical asset,” says requirements in the US.
Marek Stanislawski, Deputy Global Head of
Cyber and Tech PI, AGCS. “Finally we have “GDPR and similar regulations are the ‘new
reached an important point where cyber is equally normal’ in which we all need to find our way to
concerning for our customers as their major operate,” says Stanislawski.
‘traditional’ exposures, which means that entities
across all industries and business segments now Cyber incidents are also increasingly likely to spark
have this risk firmly on their radars.” litigation, including securities and consumer class
actions. Data breaches, IT outages and cyber
MEGA DATA BREACHES AND ATTACKS SOAR security incidents can generate large third party
liabilities, as data subjects, shareholders and
As organizations hold more and more personal supply chain partners seek to recoup losses from
data, breaches are increasing in size and cost. companies and in some cases their directors.
12
Major Risks in Focus: Cyber Incidents
Already a feature of US data breaches, class hackers take control of 50,000 connected printers
actions have spread to Europe, giving consumers around the world to create posters supporting
the right to claim non-financial damages, such as vlogger PewDiePie10.
for distress. A number of recent data breaches,
including that of British Airways, one of the first “SILENT CYBER” BECOMES MORE NOISY
significant breaches under the GDPR, have
triggered class actions in the UK while a landmark The WannaCry and NotPetya malware attacks
case against Morrisons has seen the retailer held highlight the growing risk of BI (see page 14) and
vicariously liable for a breach in the UK’s first even physical damage from malware and other
successful data breach class action6. cyber incidents. They also have accelerated
discussions around cyber insurance and in
EVOLVING THREATS particular the need for affirmative cover.
Cyber crime has become pervasive as criminals The NotPetya attack is expected to generate
use more innovative methods to steal data, around $3bn in losses for insurers, according to
commit fraud or extort money. Worldwide, Property Claims Services. However, some 90% of
cybercrime costs an estimated $600bn a year7, this total can be attributed to so-called “silent
according to the Center for Strategic and cyber” exposure, with only 10% covered by
International Studies (CSIS), up from $445bn in affirmative cover. Non-affirmative cover is where
2014. This compares with a 10-year average cover for cyber incidents may exist in traditional
economic loss from natural catastrophes of property/casualty (P&C) policies, even though this
around $208bn8 – three times as much. was not the intention of the underwriter.
However, the past year has also witnessed a “Silent” or non-affirmative cyber exposures lead to
growing threat from nation states, which inadequate protection for businesses with a lack of
increasingly use technology to play out rivalries certainty and transparency for all parties involved.
and conflicts, with implications for businesses. As part of a group-wide project, Allianz has
Nation states and affiliated hacker groups have reviewed cyber risks in its P&C policies in the
targeted universities and public sector agencies, commercial, corporate and specialty insurance
looking to steal valuable data and trade secrets, segments and developed a new underwriting
1 Allianz Global Corporate
as well as the networks and industrial control strategy to address “silent cyber” exposures. & Specialty, Average
systems (ICS) of critical infrastructure companies. cyber loss value based on
115 claims with cyber as
NotPetya was attributed to Russian-backed “We will make it clear how cyber risks are covered cause of loss. Average
hackers targeting Ukraine while energy companies in traditional policies and for which scenarios a fire/explosion loss value
– Global Claims Review,
in the Middle East have been hit with destructive dedicated cyber insurance solution is needed,” The Top Causes of
Corporate Insurance
malware attacks. says Emy Donavan, Global Head of Cyber and Losses
Tech PI, AGCS. 2 Reuters, Marriott cuts
IOT AND NEW TECH estimate on size of
massive Starwood hack,
“Risk transfer is a vital element of cyber risk January 4, 2019
Advancements in technology are also generating management, but, today, cyber insurance goes 3 Online Trust Alliance,
Cyber Incidents Trends
new cyber threats and vulnerabilities. beyond this,” adds Stanislawski. “It can be a Report, January 2018
Organizations are concerned about the effect of valuable part of incident response, providing 4 Accenture, 2017 Cost of
Cyber Crime Study
increasing interconnectivity and developments companies with contacts to specialists and
5 AIR Worldwide, AIR
such as automation and artificial intelligence. consultants who can help battle the incident but estimates losses for the
Marriott breach will be
also better prepare for events before they happen. between USD 200 million
Vulnerability is also growing with the increase in and USD 600 million
connected devices, with the Internet of Things (IoT), “Every company needs to adopt an IT security 6 BBC News, Morrisons
loses data leak
Industry 4.0 and digitalization of supply chains, position which is adequate to its size, operations challenge, October 22,
2018
which create new attack fronts for criminals and and risk profile and invest in technological security
7 Center for Strategic and
nation states to exploit. solutions, proper backup mechanisms and staff International Studies,
training. The last aspect is possibly the easiest one Economic Impact of
Cybercrime – No Slowing
According to cyber security firm Kaspersky, over to miss but is equally important, especially for small- Down
three quarters of the companies it surveyed expect and mid-sized enterprises. 8 Swiss Re, Preliminary
sigma estimates for 2018,
to become a target of a cyber security attack in December 18, 2018
the ICS space9. However, only 23% are compliant “Companies need to think about all of their 9 Kaspersky, The State of
Industrial Cybersecurity
with minimal cybersecurity guidance or employees as members of the cyber security team 2018
regulations of ICS. In 2016, a DDoS attack against and provide them with proper training and 10 BBC News, PewDiePie
internet company Dyn used a botnet army of empowerment to transform their staff from the printer hackers strike
again, December 16,
corrupted IoT devices, while December 2018 saw ‘weakest link’ to the ‘first line of defense’.” 2018
13
Allianz Risk Barometer 2019
SPOTLIGHT ON…
CYBER BUSINESS
INTERRUPTION
Whether resulting from cyber-attacks or, more frequently,
from system outages or failures, cyber incidents are now a
major cause of business interruption for today’s networked
companies whose primary assets are often data, service
platforms or their groups of customers or suppliers.
Business interruption (BI) following a cyber “As all businesses embrace digital business
incident has emerged as a key risk for models, success is highly dependent on the
businesses, with an increasing number of technology facilitating the business,” says Georgi
scenarios leading to disruption. For the first time Pachov, Global Practice Leader, Cyber, AGCS.
in the Allianz Risk Barometer, survey participants “Revenue streams can be easily interrupted
indicated that cyber incidents were of a similar following abnormal technological behavior.
level of concern to the closely related risk of BI, Cyber incidents leading to BI will become much
which has ranked as the top peril in the survey more frequent in future due to the massive
over the past seven years. reliance on technology and data for running
businesses. In the age of the ‘Internet of Things’, if
For many companies, this is where their big two manufacturing devices cannot communicate
exposure lies today. Think of a large and exchange data with each other this will
organization that has a very sophisticated inevitably lead to a business disruption.”
supply chain and an operation that produces
millions of dollars in revenue – daily or monthly. LOSS ACTIVITY
Depending on the size of the organization, if it
shuts down for technical issues in a cyber Business interruption was a hallmark of the
incident, that will trigger a significant loss. WannaCry and NotPetya malware attacks in
2017, causing large losses for a number of WHAT ARE THE TOP EMERGING BUSINESS RISKS FOR
shipping, logistics and manufacturing companies. THE NEXT THREE TO FIVE YEARS?
Companies such as Maersk and FedEx saw losses
of $300mn from the NotPetya event, while
Cyber
consumer goods manufacturer Reckitt Benckiser
reported £100mn ($130mn) in loss revenues.
incidents 48%
Malware attacks have continued to trouble New
companies – semiconductor maker Taiwan
technologies 30%
Semiconductor Manufacturing Company, a key
supplier to Apple, lost over a day of production Changes in legislation/
after a virus infected machinery at plants in regulation (e.g. trade wars
and tariffs, Brexit etc.)
28%
Taiwan in August, 2018. The virus was a variant
of WannaCry. Meanwhile, the ports of
Barcelona and San Diego were both victims to Source: Allianz Global Corporate & Specialty.
Figures represent the percentage of answers of all participants who responded
ransomware attacks which impacted servers (2,415). Figures don’t add up to 100% as up to three risks could be selected.
and administrative systems in September 2018,
as was the shipping company COSCO in July,
which also saw its IT systems disabled in the US.
Insurers have seen a growing number of BI
claims trigged by cyber incidents with claims of €300mn 5 . The FCA says bank outages have
that exceed $100mn1 . risen 138% in the past year6 .
FREQUENT HUMAN ERROR AND TECHNICAL FAILURE Reliance on IT and technology service providers
– such as cloud services, online booking
Cyber incidents rank as the BI trigger most feared platforms and supply chain systems – also
by businesses, and BI is also the biggest cause of brings potential contingent business interruption
1 Allianz Global Corporate
economic loss for businesses after a cyber (CBI) exposures. A software glitch at network & Specialty, Global
incident, according to Allianz Risk Barometer equipment provider Ericsson disrupted services Claims Review, The Top
Causes of Corporate
respondents. Loss of revenues and additional for millions of mobile phone customers in Insurance Losses
costs of working can be incurred from malicious Europe and Japan in 20187. When Visa suffered 2 The Financial Conduct
Authority, Cyber and
acts, but more often than not are the result of an outage in 2018, it affected the payment card technology resilience in
technical glitches or human error. According to services used by banks and retailers across UK financial services,
November 27, 2018
the Financial Conduct Authority (FCA), only 18% Europe. Similarly, in 2017, a four hour outage at 3 Kroll, Data breach
of all cyber incidents reported to the UK regulator Amazon’s AWS cloud computing division reports to Information
Commissioner increase
were cyber-attacks2 , while 82% were the result of impacted a number of internet services, by 75%, September 4,
technology issues. Meanwhile, analysis of data websites and other businesses. It was reported 2018
4 Financial Times, BA faces
breaches by Kroll found that 88% of data the outage was caused by human error. £80m cost for IT failure
breaches were caused by human error, and just Guidewire Cyence Risk Analytics estimated that that stranded 75,000
passengers, June 15,
12% were the result of a cyber-attack 3. companies in the S&P 500 dependant on 2017
Amazon’s services lost approximately $150mn 5 Reuters, Spain’s Sabadell
exceeds forecasts despite
GROWING OUTAGE AND CBI EXPOSURES as a result 8 . TSB outage costs,
October 26, 2018
IT outages have emerged as a significant It has been estimated that in the event of an 6 The Financial Conduct
Authority, Cyber and
exposure as organizations become reliant on outage at a cloud service provider lasting more technology resilience in
UK financial services,
technology to conduct everyday business. The than 12 hours losses could total as much as November 27, 2018
airline sector has experienced a number of $850mn in North America and $700mn in Europe, 7 Reuters, Ericsson sorry for
technology-related outages, including a major based on 50,000 companies in three specific software glitch that hits
mobile services in Britain
outage in 2017 which occurred after a power industry sectors (financial, healthcare and retail) and Japan, December 6,
2018
surge on reconnection knocked out British being impacted by the outage in each region9.
8 Guidewire Cyence Risk
Airways systems over a holiday weekend Analytics, MMC Cyber
affecting 75,000 passengers and costing it “A single point of failure can trigger a chain Handbook 2018,
Evolution of Cyber Risks
£80mn, according to initial estimates 4 . reaction across the value chain, including Quantifying Systemic
Exposures
suppliers to the final customer, and cause a
9 Guidewire Cyence Risk
Customers at UK bank TSB suffered months of severe business interruption and accumulation Analytics, Allianz Global
disruption in 2018 after a failed IT platform for insurers,” says Pachov. “The same event can Corporate & Specialty,
Allianz Risk Barometer
migration – the incident cost the bank in excess trigger a significant reputational loss.” 2018
15
Allianz Risk Barometer 2019
= 2019: 3 (28%)
“Although there has not been a single major NAT CAT ACTIVITY SEES RISE IN
natural catastrophe event comparable in size CLIMATE CHANGE RISK PERCEPTION
with the 2017 hurricane events, the 2018
aggregated losses from multiple smaller and Allianz Risk Barometer respondents fear that
mid-sized events have led to considerable overall recent natural catastrophe and extreme
insured losses,” says Cosmin Tanasescu, Head of weather activity could be a harbinger of
Catastrophe Risk Research & Development, increasing financial losses and disruption
AGCS. “We can think of 2018 as the ‘little brother ensuring climate change/increasing volatility
year of 2017’ when it comes to the hurricane of weather (8th, 13% of responses) rises to its
impact in the Northern Atlantic.” highest-ever position in the global risk ranking
(see page 20).
Natural catastrophe activity is expected to
account for over $70bn of 2018’s insured Climate change is omnipresent in all regions
catastrophe losses, with events such as around the world. Melting sea ice and polar ice
hurricanes Michael and Florence in North shields resulting in rising sea levels, increasing
America; typhoons Jebi and Mangkhut in Asia; permafrost thawing, droughts and heat waves
wildfires in California; floods in India; and in some areas and heavy precipitation in others
earthquakes in Japan, Indonesia and Papua are some of the commonly understood impacts
New Guinea, contributing to this total loss figure. of a warming climate. Generally, these impacts
Although there may not have been an event of are expected to intensify in the coming decades.
16
Major Risks in Focus: Natural catastrophes
September 2018. Total precipitation amounts future risk levels due to direct or indirect 2 Munich Re, The natural
disasters of 2018 in
causing landslides and flash floods were highly impacts of climate change.” figures, January 8, 2019
17
Allianz Risk Barometer 2019
5 MARKET DEVELOPMENTS
23% 2018: 4 (22%)
2018 was marked by record volatility, divergence and surprises. 2019 should be
under the same auspices, says Ludovic Subran, Chief Economist of Euler
Hermes and Deputy Chief Economist of Allianz. Last year high US growth
entailed tighter financing conditions especially in emerging markets. Oil prices
also ranged between $57/bbl and $87/bbl, creating negative surprises for oil
importers over the fall.
Divergence between the US and the rest of the world was very visible with higher
growth in the US contrasting with the slowdown in Europe and Asia. Financial
markets also went through rough rides as surprises on data breaches and
negative news on zombie companies (highly indebted compared to their profits)
corrected stock prices. In addition, multinationals, especially exporters, were
negatively perceived in the context of trade wars. For example, automotive
companies have been through a perfect storm: mobility disruption, trade war, and
regulatory shocks. Through 2019, the cost of uncertainty will prevail, as well as
rapidly changing political backdrops and possibly the return of risk of
expropriation and confiscation. Market consolidation continues in vulnerable
sectors (energy, machinery and equipment, retail).
18
Top Business Risks: 4-10
FIRE, EXPLOSION 6
19% = 2018: 6 (20%)
Insurance industry loss research by AGCS shows that fire and explosion incidents
cause the largest claims for insurers and the businesses they cover. Such events
account for almost a quarter (24%) of the value of more than 470,000 corporate
insurance industry claims analyzed over a five-year period up to 2018, compared
with the second major cause of loss which is aviation collision/crash (14%) 1 .
This means that fire and explosion incidents such as building/factory fires,
electrical fires and gas explosions (but not including wildfires) have caused in
excess of €14bn ($15.9bn) worth of insurance losses from more than 9,500
claims and are responsible for more than half (11) of the 20 largest non-natural
catastrophe loss events analyzed over the past five years. As industries such as
manufacturing have become more efficient, values at risk per square meter
have risen exponentially meaning claims and losses are much more expensive
than a decade ago. Even the average claim from a fire/explosion incident totals
almost €1.5mn at €1.47mn today.
NEW TECHNOLOGIES 7
19% = 2018: 7 (15%)
New technologies present fantastic opportunities for business, including new ways
to manage and reduce risk. However, new technologies also bring risk, sometimes
with unexpected consequences. For example, illegal drone activity led to the
cancellation of some 1,000 aircraft at Gatwick airport in the UK in December 2018.
By 2025, the “Internet of Things” is expected to comprise more than 100 billion
connected devices with sensors collecting data from homes, factories and supply
chains. “This means better risk assessment through predictive indicators and
more flexible, tailored and timely solutions,” says Michael Bruch, Global Head
of Liability Risk Consulting/ESG, AGCS. At the same time, connected devices
raise questions around cyber security, data protection, business continuity and
liability, and increase the potential for critical infrastructure breakdown.
1 Allianz Global Corporate & Specialty, Global Claims Review, The Top Causes of Corporate Insurance Losses
19
Allianz Risk Barometer 2019
NEW TECHNOLOGIES
Digital ecosystems and platforms will provide the basis for a range of risk mitigation services that prevent damage
before it occurs. At the same time, concerns about the use, accuracy and security of data are increasing.
Artificial Artificial
intelligence 69% intelligence 67%
Autonomous
Data science
42% vehicles/mobility 43%
Blockchain
41% Blockchain
27%
Source: Allianz Global Corporate & Specialty. Source: Allianz Global Corporate & Specialty.
Figures represent the percentage of answers of all participants who responded (505). Figures represent the percentage of answers of all participants who responded (505).
Figures don’t add up to 100% as up to three risks could be selected. Figures don’t add up to 100% as up to three risks could be selected.
8 CLIMATE CHANGE/INCREASING
VOLATILITY OF WEATHER
13% 2018: 10 (10%)
Hurricanes, tropical cyclones and wildfires broke records in 2017 and 2018 –
insured losses from global catastrophes were $150bn in 2017, the highest ever.
The US National Climate Assessment warned that inaction over climate change
will lead to more intense storms, floods, droughts, heatwaves and wildfires,
generating hundreds of billions of dollars in annual losses by the end of the
century. The rising cost of climate change is already noticeable. Analysis shows
the number of weather-related/flood loss events has increased by a factor of
three to four since 1980 2 .
Left unchecked, climate change is likely to have huge economic, political and
social impacts – with implications for food and water security, health, migration
and conflicts. Indirect consequences include cultural and behavioral change (for
example, the sudden shift in consumer opinion around plastics or investors’ views
on fossil fuels). Climate change will also have big implications for regulation and
liability. Emissions regulations and targets are already shaping industries like
aviation and shipping, while growing climate change reporting and disclosure
requirements will increase exposures for directors and officers.
2 Munich Re, Trends in weather-related disasters - consequences for insurers and society, March 2016
20
Top Business Risks: 4-10
Protecting reputation and brand has taken on urgency in the social media age.
There are an estimated three billion social media users worldwide, while
Facebook Messenger and WhatsApp handle 60 billion messages a day ensuring
a reputational incident can quickly escalate out of control, but social media can
also help companies monitor and engage with customers. A study of 125
reputational events over the past decade by Pentland Analytics and Aon 4 found
the impact of reputation events on stock prices has doubled since the introduction
of social media. Effective planning and crisis management has become essential.
It is estimated a company could add as much as 20% of value or lose up to 30%
depending on its reputation risk preparedness and management in the
immediate aftermath of a crisis. Insurance can also provide tangible assistance to
an intangible risk, such as funding advisory and crisis response costs.
“Skilled workforce — and human capital more generally — has become the
scarce resource of the digital economy,” says Ludovic Subran, Chief Economist
of Euler Hermes and Deputy Chief Economist of Allianz. “Competition is fierce
to get new recruits with competencies in artificial intelligence, data science, or
‘frontier risk management’ such as managing cyber or reputational risk as most
of these jobs did not exist 10 years ago. Even attractive salaries do not suffice as
the pool of recruits with the needed skillset is limited and the urgency to onboard
them does not allow for on-the-job training.”
Regulatory change can also negatively impact. A UK study5 found that nine in 10
employers were struggling to recruit the skilled staff they need, with Brexit set to
make this worse. New talent must be recruited quickly. “Managers must embrace the
technological acuity of younger employees,” says Scott Steinmetz, Global Head of
MidCorp Risk Consulting, AGCS. “They must also focus on disruptive technologies
and ideas, as these may bring beneficial innovations. Machine learning and
automation can offset worker attrition, but requires significant investment.”
3 CNBC, Here are the scandals and other incidents that have sent Facebook’s share price tanking in 2018, November 20, 2018
4 Pentland Analytics and Aon, Reputation Risk In The Cyber Age - The Impact On Shareholder Value, August 2018
5 The Independent, Nine in 10 UK employers struggling to find skilled workers with Brexit set to make shortage worse, survey finds, June 12, 2018
21
Allianz Risk Barometer 2019
SME
CYBER AWARENESS GROWING
BUSINESS
exposure and are more apt to secure adequate insurance
cover than in the past, says Rajiv Iyer, Global Head of
MidCorp Package, Small Business and Casualty, AGCS.
RISKS
“This stems from the fact that advances in cloud computing
and social media have increased small companies’
exposures while large data breach events, such as the
Equifax breach and numerous other cyber security-related
issues have necessitated greater protection of customer
data. SME businesses see the need for adequate cyber cover
Awareness of the growing cyber threat to feel more protected in case of an event such as a breach.”
and its link to loss of reputation,
BI EXPOSURES STILL RELEVANT
weather woes and the impact of
changes in trade agreements, are the While cyber incidents increased in the small-sized company
major worries for multinational space, BI drops from first place to fifth in the ranking for
2019. For mid-sized companies, however BI is the top risk
SME businesses. concern. Iyer believes that BI claims, while admittedly lower
in value for SME businesses, remain an issue. A severe
Taken together, total responses from small- to mid- interruption can even have a terminal impact for smaller-
sized (SME) business experts account for about half sized companies, given the effect it can have on income and
of the total Allianz Risk Barometer responses (1,437 of revenues. Iyer sees significant BI exposure among SME
2,882). Business interruption (BI) is the top risk for businesses from natural catastrophe activity, cyber risk and
mid-sized enterprises (annual revenues over €250mn changes in legislation (see page 23).
but under €500mn) replacing cyber incidents in the
top spot year-on-year. Coincidentally, cyber incidents WEATHER WOES
is the top risk for small-sized enterprises (annual
revenues under €250mn), replacing BI which was the Natural catastrophe and weather volatility is another
top risk in 2018. major concern for SME businesses. Natural catastrophes
Source: Allianz Global Corporate & Specialty. Figures represent how often a risk was selected as a percentage of all responses for that company
↘ View the full risk size. Responses: 818. Figures don’t add up to 100% as up to three risks could be selected.
rankings for large,
medium and small Cyber incidents ranks as the top risk for small enterprises (32% of responses), up from 2nd (30%) year-on-
companies year, and as the second most important peril for mid-sized companies.
↘ View the full risk “SMEs worry about cyber-attacks and data breaches because their internal organization may not be as strong
rankings for 22 as larger companies,” says Volker Muench, Global Practice Leader, Utilities & Services, IT Communication,
industry sectors AGCS. “Survey results have shown that many SMEs have had data security problems, but have not always
reported them because they were afraid of the reputational damage this could cause, such as a loss of
contracts. We see a clear relationship between cyber and loss of reputation, especially for SMEs.”
22
SME business risks
TRADING IMPACTS
One risk concern that has increased significantly in both SME OUTLOOK
the small- and mid-enterprise space is changes in
legislation – from fifth to second year-on-year for small- In general, as the global economy slows down, SME
sized companies and from sixth to fourth for mid-sized businesses may see a residual slowdown in production in
firms. Renewed populism in many countries, as well as 2019. Tariff increases will have a residual effect on net
changes in trade agreements and outright trade wars, are income and operating cash flows for maintenance and
affecting multinational SME businesses. upkeep of facilities. SME companies with diversified
portfolios will be able to weather the possible downturn.
“Changes in the cost of goods based on tariff expansions Finally, cyber exposures will continue to threaten SMEs,
and increased protectionism remain a volatile factor for while changes to governmental regulations on data
our customers and businesses,” says Iyer. “This, in turn, security means SME insurers will have to tailor coverage to
causes swings in net income or cost of goods sold.” companies’ exposure-based needs.
Source: Allianz Global Corporate & Specialty. Figures represent how often a risk was selected as a percentage of all responses for that company
size. Responses = 619. Figures don’t add up to 100% as up to three risks could be selected.
Business interruption (BI) ranks as the top risk for mid-sized enterprises (38% of responses), up from 2nd
(37%) year-on-year. The impact of changes in legislation and regulation is a rising risk concern for SMEs.
23
CONTACT US
For more information contact your local Allianz Global
Corporate & Specialty Communications team.
USA Global
Sabrina Glavan Hugo Kidston Heidi Polke-Markmann
sabrina.glavan@agcs.allianz.com hugo.kidston@allianz.com heidi.polke@allianz.com
+1 646 472 1510 +44 203 451 3891 +49 89 3800 14303
www.agcs.allianz.com
Credits
Contributors:
Alejandra Larumbe Milla, Heidi Polke-Markmann, Patrik Vanheyden
Publications/Content Specialist:
Joel Whitehead (joel.whitehead@agcs.allianz.com)
Design:
Kapusniak Design
Images:
Adobe Stock/iStockPhoto
Editor:
Greg Dobie (greg.dobie@allianz.com)